actionview 7.0.2.3 → 7.0.3.1

Potentially problematic release.


This version of actionview might be problematic.

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 251f6215ecece9893afc3c32cf8be93d5f6861c0bd586e06224fc49448e6bf61
4
- data.tar.gz: 04bf493f8468bccd4baedd09ce7d6e191ad858a5f9aaaf12fe4ff5a975576795
3
+ metadata.gz: 618f7c799c845d78785f364b28e843e39f0f85d723119744e17eb604ee715020
4
+ data.tar.gz: 0fa721ff131bbaeedc3e3d5147812ad6978327fec8b19c09ce6f56085dbd6e1c
5
5
  SHA512:
6
- metadata.gz: f0b699134a272f0c159eb8b49c5be6cd93bbaa50da1e087fad690a38aab780f49dae1d47dba6547b071845ef4ea07cde1a19f0ee1db4f9699feda6c0f8d5704b
7
- data.tar.gz: 50d6ef0114c3475db58197222335b332933a5993b4386372a63a5a38b24b2b37a52a83d627ebee54bdebd2180c74783912305138f647d199daa544c519a591cf
6
+ metadata.gz: 29014bf89dcb9c07112cf96b7ec6c2ead159767865d2105badc530789d0ec5325f1ca30925e197828f312011ad7ba5d93f61a0377602c7d25460f421aca85bc4
7
+ data.tar.gz: ed33e38b8ce72793a859f25f89c3efafc12d76f7fe00b11c32247e847d015be80941d7aa61e51509f7e5d055dc2121fd2ea59691663210af567ed1a30d5aedd8
data/CHANGELOG.md CHANGED
@@ -1,3 +1,25 @@
1
+ ## Rails 7.0.3.1 (July 12, 2022) ##
2
+
3
+ * No changes.
4
+
5
+
6
+ ## Rails 7.0.3 (May 09, 2022) ##
7
+
8
+ * Ensure models passed to `form_for` attempt to call `to_model`.
9
+
10
+ *Sean Doyle*
11
+
12
+ ## Rails 7.0.2.4 (April 26, 2022) ##
13
+
14
+ * Fix and add protections for XSS in `ActionView::Helpers` and `ERB::Util`.
15
+
16
+ Escape dangerous characters in names of tags and names of attributes in the
17
+ tag helpers, following the XML specification. Rename the option
18
+ `:escape_attributes` to `:escape`, to simplify by applying the option to the
19
+ whole tag.
20
+
21
+ *Álvaro Martín Fraguas*
22
+
1
23
  ## Rails 7.0.2.3 (March 08, 2022) ##
2
24
 
3
25
  * No changes.
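Review bot: The entries added under 7.0.3 and 7.0.2.4 do not cover every behaviour change in this version range. The `extract_dimensions` pattern now accepts decimal sizes, `circle` leaves `HTML_VOID_ELEMENTS`, `SVG_VOID_ELEMENTS` is renamed, and the date select prompt goes through a new `prompt_text` helper, yet none of these has a changelog line. Add an entry for each so that someone auditing the upgrade can match code changes to stated intent.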
@@ -1,7 +1,7 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  module ActionView
4
- # Returns the version of the currently loaded Action View as a <tt>Gem::Version</tt>
4
+ # Returns the currently loaded version of Action View as a <tt>Gem::Version</tt>.
5
5
  def self.gem_version
6
6
  Gem::Version.new VERSION::STRING
7
7
  end
@@ -9,8 +9,8 @@ module ActionView
9
9
  module VERSION
10
10
  MAJOR = 7
11
11
  MINOR = 0
12
- TINY = 2
13
- PRE = "3"
12
+ TINY = 3
13
+ PRE = "1"
14
14
 
15
15
  STRING = [MAJOR, MINOR, TINY, PRE].compact.join(".")
16
16
  end
@@ -517,9 +517,9 @@ module ActionView
517
517
 
518
518
  def extract_dimensions(size)
519
519
  size = size.to_s
520
- if /\A\d+x\d+\z/.match?(size)
520
+ if /\A(\d+|\d+.\d+)x(\d+|\d+.\d+)\z/.match?(size)
521
521
  size.split("x")
522
- elsif /\A\d+\z/.match?(size)
522
+ elsif /\A(\d+|\d+.\d+)\z/.match?(size)
523
523
  [size, size]
524
524
  end
525
525
  end
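Review bot: In both new patterns (new lines 520 and 522) the `.` in `\d+.\d+` is unescaped, so it matches any single character rather than a decimal point; a constructed value such as `1a2x3a4` passes the first pattern and is split into width and height. Escape it as `\d+\.\d+`, or write `\d+(?:\.\d+)?`, so the helper accepts only integers and decimals, and add a test with a non-numeric separator.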
@@ -219,7 +219,7 @@ module ActionView
219
219
 
220
220
  # Computes the full URL to an asset in the public directory. This
221
221
  # will use +asset_path+ internally, so most of their behaviors
222
- # will be the same. If :host options is set, it overwrites global
222
+ # will be the same. If +:host+ options is set, it overwrites global
223
223
  # +config.action_controller.asset_host+ setting.
224
224
  #
225
225
  # All other options provided are forwarded to +asset_path+ call.
@@ -324,7 +324,7 @@ module ActionView
324
324
 
325
325
  # Computes the full URL to a JavaScript asset in the public javascripts directory.
326
326
  # This will use +javascript_path+ internally, so most of their behaviors will be the same.
327
- # Since +javascript_url+ is based on +asset_url+ method you can set :host options. If :host
327
+ # Since +javascript_url+ is based on +asset_url+ method you can set +:host+ options. If +:host+
328
328
  # options is set, it overwrites global +config.action_controller.asset_host+ setting.
329
329
  #
330
330
  # javascript_url "js/xmlhr.js", host: "http://stage.example.com" # => http://stage.example.com/assets/js/xmlhr.js
@@ -351,7 +351,7 @@ module ActionView
351
351
 
352
352
  # Computes the full URL to a stylesheet asset in the public stylesheets directory.
353
353
  # This will use +stylesheet_path+ internally, so most of their behaviors will be the same.
354
- # Since +stylesheet_url+ is based on +asset_url+ method you can set :host options. If :host
354
+ # Since +stylesheet_url+ is based on +asset_url+ method you can set +:host+ options. If +:host+
355
355
  # options is set, it overwrites global +config.action_controller.asset_host+ setting.
356
356
  #
357
357
  # stylesheet_url "css/style.css", host: "http://stage.example.com" # => http://stage.example.com/assets/css/style.css
@@ -381,7 +381,7 @@ module ActionView
381
381
 
382
382
  # Computes the full URL to an image asset.
383
383
  # This will use +image_path+ internally, so most of their behaviors will be the same.
384
- # Since +image_url+ is based on +asset_url+ method you can set :host options. If :host
384
+ # Since +image_url+ is based on +asset_url+ method you can set +:host+ options. If +:host+
385
385
  # options is set, it overwrites global +config.action_controller.asset_host+ setting.
386
386
  #
387
387
  # image_url "edit.png", host: "http://stage.example.com" # => http://stage.example.com/assets/edit.png
@@ -407,7 +407,7 @@ module ActionView
407
407
 
408
408
  # Computes the full URL to a video asset in the public videos directory.
409
409
  # This will use +video_path+ internally, so most of their behaviors will be the same.
410
- # Since +video_url+ is based on +asset_url+ method you can set :host options. If :host
410
+ # Since +video_url+ is based on +asset_url+ method you can set +:host+ options. If +:host+
411
411
  # options is set, it overwrites global +config.action_controller.asset_host+ setting.
412
412
  #
413
413
  # video_url "hd.avi", host: "http://stage.example.com" # => http://stage.example.com/videos/hd.avi
@@ -433,7 +433,7 @@ module ActionView
433
433
 
434
434
  # Computes the full URL to an audio asset in the public audios directory.
435
435
  # This will use +audio_path+ internally, so most of their behaviors will be the same.
436
- # Since +audio_url+ is based on +asset_url+ method you can set :host options. If :host
436
+ # Since +audio_url+ is based on +asset_url+ method you can set +:host+ options. If +:host+
437
437
  # options is set, it overwrites global +config.action_controller.asset_host+ setting.
438
438
  #
439
439
  # audio_url "horse.wav", host: "http://stage.example.com" # => http://stage.example.com/audios/horse.wav
@@ -458,7 +458,7 @@ module ActionView
458
458
 
459
459
  # Computes the full URL to a font asset.
460
460
  # This will use +font_path+ internally, so most of their behaviors will be the same.
461
- # Since +font_url+ is based on +asset_url+ method you can set :host options. If :host
461
+ # Since +font_url+ is based on +asset_url+ method you can set +:host+ options. If +:host+
462
462
  # options is set, it overwrites global +config.action_controller.asset_host+ setting.
463
463
  #
464
464
  # font_url "font.ttf", host: "http://stage.example.com" # => http://stage.example.com/fonts/font.ttf
@@ -26,7 +26,7 @@ module ActionView
26
26
  MINUTES_IN_QUARTER_YEAR = 131400
27
27
  MINUTES_IN_THREE_QUARTERS_YEAR = 394200
28
28
 
29
- # Reports the approximate distance in time between two Time, Date or DateTime objects or integers as seconds.
29
+ # Reports the approximate distance in time between two Time, Date, or DateTime objects or integers as seconds.
30
30
  # Pass <tt>include_seconds: true</tt> if you want more detailed approximations when distance < 1 min, 29 secs.
31
31
  # Distances are reported based on the following table:
32
32
  #
@@ -291,12 +291,12 @@ module ActionView
291
291
  Tags::DateSelect.new(object_name, method, self, options, html_options).render
292
292
  end
293
293
 
294
- # Returns a set of select tags (one for hour, minute and optionally second) pre-selected for accessing a
294
+ # Returns a set of select tags (one for hour, minute, and optionally second) pre-selected for accessing a
295
295
  # specified time-based attribute (identified by +method+) on an object assigned to the template (identified by
296
296
  # +object+). You can include the seconds with <tt>:include_seconds</tt>. You can get hours in the AM/PM format
297
297
  # with <tt>:ampm</tt> option.
298
298
  #
299
- # This method will also generate 3 input hidden tags, for the actual year, month and day unless the option
299
+ # This method will also generate 3 input hidden tags, for the actual year, month, and day unless the option
300
300
  # <tt>:ignore_date</tt> is set to +true+. If you set the <tt>:ignore_date</tt> to +true+, you must have a
301
301
  # +date_select+ on the same method within the form otherwise an exception will be raised.
302
302
  #
@@ -871,6 +871,10 @@ module ActionView
871
871
  end
872
872
  end
873
873
 
874
+ def prompt_text(prompt, type)
875
+ prompt.kind_of?(String) ? prompt : I18n.translate(:"datetime.prompts.#{type}", locale: @options[:locale])
876
+ end
877
+
874
878
  # If the day is hidden, the day should be set to the 1st so all month and year choices are
875
879
  # valid. Otherwise, February 31st or February 29th, 2011 can be selected, which are invalid.
876
880
  def set_day_if_discarded
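Review bot: `prompt_text` on new lines 874-876 has no comment, and from the hunk alone it is not clear which non-String values of `prompt` it is meant to handle. Add a one-line comment naming them and a test for that input, since the result is rendered as the option's text.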
@@ -1144,7 +1148,7 @@ module ActionView
1144
1148
  I18n.translate(:"datetime.prompts.#{type}", locale: @options[:locale])
1145
1149
  end
1146
1150
 
1147
- prompt ? content_tag("option", prompt, value: "") : ""
1151
+ prompt ? content_tag("option", prompt_text(prompt, type), value: "") : ""
1148
1152
  end
1149
1153
 
1150
1154
  # Builds hidden input tag for date part and value.
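Review bot: The call on new line 1151 routes `prompt` through `prompt_text`, which repeats the `I18n.translate(:"datetime.prompts.#{type}", locale: @options[:locale])` lookup visible in the context at line 1148. Keep the lookup in one place, either by having the branch above call the new helper or by resolving the text once before the `content_tag` call.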
@@ -438,7 +438,7 @@ module ActionView
438
438
  model = nil
439
439
  object_name = record
440
440
  else
441
- model = record
441
+ model = convert_to_model(record)
442
442
  object = _object_for_form_builder(record)
443
443
  raise ArgumentError, "First argument in form cannot contain nil or be empty" unless object
444
444
  object_name = options[:as] || model_name_from_record_or_class(object).param_key
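Review bot: On new line 441 `model` now comes from `convert_to_model(record)`, but the next line still builds `object` from the raw `record` via `_object_for_form_builder(record)`, so `model` and `object` can refer to different objects when `to_model` returns something other than the record itself. If that split is intended, say so in a comment and cover it with a test for such a record.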
@@ -1014,9 +1014,10 @@ module ActionView
1014
1014
  # <% end %>
1015
1015
  #
1016
1016
  # Note that fields_for will automatically generate a hidden field
1017
- # to store the ID of the record. There are circumstances where this
1018
- # hidden field is not needed and you can pass <tt>include_id: false</tt>
1019
- # to prevent fields_for from rendering it automatically.
1017
+ # to store the ID of the record if it responds to <tt>persisted?</tt>.
1018
+ # There are circumstances where this hidden field is not needed and you
1019
+ # can pass <tt>include_id: false</tt> to prevent fields_for from
1020
+ # rendering it automatically.
1020
1021
  def fields_for(record_name, record_object = nil, options = {}, &block)
1021
1022
  options = { model: record_object, allow_method_names_outside_object: false, skip_default_ids: false }.merge!(options)
1022
1023
 
@@ -1082,7 +1083,7 @@ module ActionView
1082
1083
 
1083
1084
  # Returns a label tag tailored for labelling an input field for a specified attribute (identified by +method+) on an object
1084
1085
  # assigned to the template (identified by +object+). The text of label will default to the attribute name unless a translation
1085
- # is found in the current I18n locale (through helpers.label.<modelname>.<attribute>) or you specify it explicitly.
1086
+ # is found in the current I18n locale (through <tt>helpers.label.<modelname>.<attribute></tt>) or you specify it explicitly.
1086
1087
  # Additional options on the label tag can be passed as a hash with +options+. These options will be tagged
1087
1088
  # onto the HTML as an HTML element attribute as in the example shown, except for the <tt>:value</tt> option, which is designed to
1088
1089
  # target labels for radio_button tags (where the value is used in the ID of the input tag).
@@ -2285,7 +2286,7 @@ module ActionView
2285
2286
  @template.fields_for(record_name, record_object, fields_options, &block)
2286
2287
  end
2287
2288
 
2288
- # See the docs for the <tt>ActionView::FormHelper.fields</tt> helper method.
2289
+ # See the docs for the ActionView::Helpers::FormHelper#fields helper method.
2289
2290
  def fields(scope = nil, model: nil, **options, &block)
2290
2291
  options[:allow_method_names_outside_object] = true
2291
2292
  options[:skip_default_ids] = !FormHelper.form_with_generates_ids
@@ -2297,7 +2298,7 @@ module ActionView
2297
2298
 
2298
2299
  # Returns a label tag tailored for labelling an input field for a specified attribute (identified by +method+) on an object
2299
2300
  # assigned to the template (identified by +object+). The text of label will default to the attribute name unless a translation
2300
- # is found in the current I18n locale (through helpers.label.<modelname>.<attribute>) or you specify it explicitly.
2301
+ # is found in the current I18n locale (through <tt>helpers.label.<modelname>.<attribute></tt>) or you specify it explicitly.
2301
2302
  # Additional options on the label tag can be passed as a hash with +options+. These options will be tagged
2302
2303
  # onto the HTML as an HTML element attribute as in the example shown, except for the <tt>:value</tt> option, which is designed to
2303
2304
  # target labels for radio_button tags (where the value is used in the ID of the input tag).
@@ -598,9 +598,9 @@ module ActionView
598
598
  #
599
599
  # Options:
600
600
  # * <tt>:index_as_value</tt> - Defaults to false, set to true to use the indexes from
601
- # `I18n.translate("date.day_names")` as the values. By default, Sunday is always 0.
601
+ # <tt>I18n.translate("date.day_names")</tt> as the values. By default, Sunday is always 0.
602
602
  # * <tt>:day_format</tt> - The I18n key of the array to use for the weekday options.
603
- # Defaults to :day_names, set to :abbr_day_names for abbreviations.
603
+ # Defaults to +:day_names+, set to +:abbr_day_names+ for abbreviations.
604
604
  # * <tt>:beginning_of_week</tt> - Defaults to Date.beginning_of_week.
605
605
  #
606
606
  # NOTE: Only the option tags are returned, you have to wrap this call in
@@ -9,13 +9,13 @@ module ActionView
9
9
  module Helpers # :nodoc:
10
10
  # Provides methods for converting numbers into formatted strings.
11
11
  # Methods are provided for phone numbers, currency, percentage,
12
- # precision, positional notation, file size and pretty printing.
12
+ # precision, positional notation, file size, and pretty printing.
13
13
  #
14
14
  # Most methods expect a +number+ argument, and will return it
15
15
  # unchanged if can't be converted into a valid number.
16
16
  module NumberHelper
17
17
  # Raised when argument +number+ param given to the helpers is invalid and
18
- # the option :raise is set to +true+.
18
+ # the option +:raise+ is set to +true+.
19
19
  class InvalidNumberError < StandardError
20
20
  attr_accessor :number
21
21
  def initialize(number)
@@ -10,8 +10,8 @@ module ActionView
10
10
  module RenderingHelper
11
11
  # Returns the result of a render that's dictated by the options hash. The primary options are:
12
12
  #
13
- # * <tt>:partial</tt> - See <tt>ActionView::PartialRenderer</tt>.
14
- # * <tt>:file</tt> - Renders an explicit template file (this used to be the old default), add :locals to pass in those.
13
+ # * <tt>:partial</tt> - See ActionView::PartialRenderer.
14
+ # * <tt>:file</tt> - Renders an explicit template file (this used to be the old default), add +:locals+ to pass in those.
15
15
  # * <tt>:inline</tt> - Renders an inline template similar to how it's done in the controller.
16
16
  # * <tt>:plain</tt> - Renders the text passed in out. Setting the content
17
17
  # type as <tt>text/plain</tt>.
@@ -19,8 +19,7 @@ module ActionView
19
19
  # performs HTML escape on the string first. Setting the content type as
20
20
  # <tt>text/html</tt>.
21
21
  # * <tt>:body</tt> - Renders the text passed in, and inherits the content
22
- # type of <tt>text/plain</tt> from <tt>ActionDispatch::Response</tt>
23
- # object.
22
+ # type of <tt>text/plain</tt> from ActionDispatch::Response object.
24
23
  #
25
24
  # If no <tt>options</tt> hash is passed or if <tt>:update</tt> is specified, then:
26
25
  #
@@ -47,7 +46,7 @@ module ActionView
47
46
  end
48
47
  end
49
48
 
50
- # Overwrites _layout_for in the context object so it supports the case a block is
49
+ # Overrides _layout_for in the context object so it supports the case a block is
51
50
  # passed to a partial. Returns the contents that are yielded to a layout, given a
52
51
  # name or a block.
53
52
  #
@@ -45,8 +45,8 @@ module ActionView
45
45
  include CaptureHelper
46
46
  include OutputSafetyHelper
47
47
 
48
- HTML_VOID_ELEMENTS = %i(area base br col circle embed hr img input keygen link meta param source track wbr).to_set
49
- SVG_VOID_ELEMENTS = %i(animate animateMotion animateTransform circle ellipse line path polygon polyline rect set stop use view).to_set
48
+ HTML_VOID_ELEMENTS = %i(area base br col embed hr img input keygen link meta param source track wbr).to_set
49
+ SVG_SELF_CLOSING_ELEMENTS = %i(animate animateMotion animateTransform circle ellipse line path polygon polyline rect set stop use view).to_set
50
50
 
51
51
  def initialize(view_context)
52
52
  @view_context = view_context
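Review bot: Renaming `SVG_VOID_ELEMENTS` to `SVG_SELF_CLOSING_ELEMENTS` on new line 49 removes a constant that code outside this file may reference, and the change ships in a patch-level release. Keep the old name as a deprecated alias, or record the rename in the changelog. Dropping `circle` from `HTML_VOID_ELEMENTS` looks right, since it remains in the SVG set.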
@@ -65,18 +65,26 @@ module ActionView
65
65
  tag_string(:p, *arguments, **options, &block)
66
66
  end
67
67
 
68
- def tag_string(name, content = nil, escape_attributes: true, **options, &block)
68
+ def tag_string(name, content = nil, **options, &block)
69
+ escape = handle_deprecated_escape_options(options)
70
+
69
71
  content = @view_context.capture(self, &block) if block_given?
70
- if (HTML_VOID_ELEMENTS.include?(name) || SVG_VOID_ELEMENTS.include?(name)) && content.nil?
71
- "<#{name.to_s.dasherize}#{tag_options(options, escape_attributes)}>".html_safe
72
+ self_closing = SVG_SELF_CLOSING_ELEMENTS.include?(name)
73
+ if (HTML_VOID_ELEMENTS.include?(name) || self_closing) && content.nil?
74
+ "<#{name.to_s.dasherize}#{tag_options(options, escape)}#{self_closing ? " />" : ">"}".html_safe
72
75
  else
73
- content_tag_string(name.to_s.dasherize, content || "", options, escape_attributes)
76
+ content_tag_string(name.to_s.dasherize, content || "", options, escape)
74
77
  end
75
78
  end
76
79
 
77
80
  def content_tag_string(name, content, options, escape = true)
78
81
  tag_options = tag_options(options, escape) if options
79
- content = ERB::Util.unwrapped_html_escape(content) if escape
82
+
83
+ if escape
84
+ name = ERB::Util.xml_name_escape(name)
85
+ content = ERB::Util.unwrapped_html_escape(content)
86
+ end
87
+
80
88
  "<#{name}#{tag_options}>#{PRE_CONTENT_STRINGS[name]}#{content}</#{name}>".html_safe
81
89
  end
82
90
 
@@ -127,6 +135,8 @@ module ActionView
127
135
  end
128
136
 
129
137
  def tag_option(key, value, escape)
138
+ key = ERB::Util.xml_name_escape(key) if escape
139
+
130
140
  case value
131
141
  when Array, Hash
132
142
  value = TagHelper.build_tag_values(value) if key.to_s == "class"
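Review bot: New line 138 calls `ERB::Util.xml_name_escape`, which is not defined in any hunk visible here. Confirm that the gem's dependency on the library providing it is pinned to a version that includes the method; otherwise every escaped attribute raises `NoMethodError`. A test showing that an attribute name containing a space or a `"` is neutralised when `escape` is true would also document the intent.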
@@ -137,6 +147,7 @@ module ActionView
137
147
  value = escape ? ERB::Util.unwrapped_html_escape(value) : value.to_s
138
148
  end
139
149
  value = value.gsub('"', "&quot;") if value.include?('"')
150
+
140
151
  %(#{key}="#{value}")
141
152
  end
142
153
 
@@ -153,6 +164,27 @@ module ActionView
153
164
  true
154
165
  end
155
166
 
167
+ def handle_deprecated_escape_options(options)
168
+ # The option :escape_attributes has been merged into the options hash to be
169
+ # able to warn when it is used, so we need to handle default values here.
170
+ escape_option_provided = options.has_key?(:escape)
171
+ escape_attributes_option_provided = options.has_key?(:escape_attributes)
172
+
173
+ if escape_attributes_option_provided
174
+ ActiveSupport::Deprecation.warn(<<~MSG)
175
+ Use of the option :escape_attributes is deprecated. It currently \
176
+ escapes both names and values of tags and attributes and it is \
177
+ equivalent to :escape. If any of them are enabled, the escaping \
178
+ is fully enabled.
179
+ MSG
180
+ end
181
+
182
+ return true unless escape_option_provided || escape_attributes_option_provided
183
+ escape_option = options.delete(:escape)
184
+ escape_attributes_option = options.delete(:escape_attributes)
185
+ escape_option || escape_attributes_option
186
+ end
187
+
156
188
  def method_missing(called, *args, **options, &block)
157
189
  tag_string(called, *args, **options, &block)
158
190
  end
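Review bot: `handle_deprecated_escape_options` returns `escape_option || escape_attributes_option` (new line 185), so a caller passing `escape: false, escape_attributes: true` gets escaping turned back on, and the method can return `nil` rather than `false`. Failing towards escaping is the right direction, but state the precedence in the comment on lines 168-169 and add tests for the mixed cases. Note too that `:escape` is now consumed from `options`, so it can no longer be rendered as an HTML attribute named `escape`; that deserves a changelog line.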
@@ -208,7 +240,7 @@ module ActionView
208
240
  #
209
241
  # Thus <tt>data-user-id</tt> can be accessed as <tt>dataset.userId</tt>.
210
242
  #
211
- # Data attribute values are encoded to JSON, with the exception of strings, symbols and
243
+ # Data attribute values are encoded to JSON, with the exception of strings, symbols, and
212
244
  # BigDecimals.
213
245
  # This may come in handy when using jQuery's HTML5-aware <tt>.data()</tt>
214
246
  # from 1.4.3.
@@ -216,13 +248,13 @@ module ActionView
216
248
  # tag.div data: { city_state: %w( Chicago IL ) }
217
249
  # # => <div data-city-state="[&quot;Chicago&quot;,&quot;IL&quot;]"></div>
218
250
  #
219
- # The generated attributes are escaped by default. This can be disabled using
220
- # +escape_attributes+.
251
+ # The generated tag names and attributes are escaped by default. This can be disabled using
252
+ # +escape+.
221
253
  #
222
254
  # tag.img src: 'open & shut.png'
223
255
  # # => <img src="open &amp; shut.png">
224
256
  #
225
- # tag.img src: 'open & shut.png', escape_attributes: false
257
+ # tag.img src: 'open & shut.png', escape: false
226
258
  # # => <img src="open & shut.png">
227
259
  #
228
260
  # The tag builder respects
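Review bot: The revised doc on new lines 251-252 says escaping of tag names and attributes can be disabled using `+escape+`, without saying when that is safe. Because the option now covers names as well as values, add a sentence that `escape: false` belongs only where every tag name, attribute name, and value is trusted and not derived from request input.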
@@ -240,7 +272,7 @@ module ActionView
240
272
  # Transforms a Hash into HTML attributes, ready to be interpolated into
241
273
  # ERB. Includes or omits boolean attributes based on their truthiness.
242
274
  # Transforms keys nested within
243
- # <tt>aria:</tt> or <tt>data:</tt> objects into `aria-` and `data-`
275
+ # <tt>aria:</tt> or <tt>data:</tt> objects into <tt>aria-</tt> and <tt>data-</tt>
244
276
  # prefixed attributes:
245
277
  #
246
278
  # <input <%= tag.attributes(type: :text, aria: { label: "Search" }) %>>
@@ -300,6 +332,7 @@ module ActionView
300
332
  if name.nil?
301
333
  tag_builder
302
334
  else
335
+ name = ERB::Util.xml_name_escape(name) if escape
303
336
  "<#{name}#{tag_builder.tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
304
337
  end
305
338
  end
@@ -308,7 +341,7 @@ module ActionView
308
341
  # HTML attributes by passing an attributes hash to +options+.
309
342
  # Instead of passing the content as an argument, you can also use a block
310
343
  # in which case, you pass your +options+ as the second parameter.
311
- # Set escape to false to disable attribute value escaping.
344
+ # Set escape to false to disable escaping.
312
345
  # Note: this is legacy syntax, see +tag+ method description for details.
313
346
  #
314
347
  # ==== Options
@@ -268,7 +268,7 @@ module ActionView
268
268
  end
269
269
 
270
270
  # Returns +text+ transformed into HTML using simple formatting rules.
271
- # Two or more consecutive newlines(<tt>\n\n</tt> or <tt>\r\n\r\n</tt>) are
271
+ # Two or more consecutive newlines (<tt>\n\n</tt> or <tt>\r\n\r\n</tt>) are
272
272
  # considered a paragraph and wrapped in <tt><p></tt> tags. One newline
273
273
  # (<tt>\n</tt> or <tt>\r\n</tt>) is considered a linebreak and a
274
274
  # <tt><br /></tt> tag is appended. This method does not remove the
@@ -89,21 +89,6 @@ module ActionView
89
89
  #
90
90
  # ==== Options
91
91
  # * <tt>:data</tt> - This option can be used to add custom data attributes.
92
- # * <tt>method: symbol of HTTP verb</tt> - This modifier will dynamically
93
- # create an HTML form and immediately submit the form for processing using
94
- # the HTTP verb specified. Useful for having links perform a POST operation
95
- # in dangerous actions like deleting a record (which search bots can follow
96
- # while spidering your site). Supported verbs are <tt>:post</tt>, <tt>:delete</tt>, <tt>:patch</tt>, and <tt>:put</tt>.
97
- # Note that if the user has JavaScript disabled, the request will fall back
98
- # to using GET. If <tt>href: '#'</tt> is used and the user has JavaScript
99
- # disabled clicking the link will have no effect. If you are relying on the
100
- # POST behavior, you should check for it in your controller's action by using
101
- # the request object's methods for <tt>post?</tt>, <tt>delete?</tt>, <tt>patch?</tt>, or <tt>put?</tt>.
102
- # * <tt>remote: true</tt> - This will allow the unobtrusive JavaScript
103
- # driver to make an Ajax request to the URL in question instead of following
104
- # the link. The drivers each provide mechanisms for listening for the
105
- # completion of the Ajax request and performing JavaScript operations once
106
- # they're complete
107
92
  #
108
93
  # ==== Examples
109
94
  #
@@ -180,28 +165,43 @@ module ActionView
180
165
  # link_to "Nonsense search", searches_path(foo: "bar", baz: "quux")
181
166
  # # => <a href="/searches?foo=bar&baz=quux">Nonsense search</a>
182
167
  #
183
- # The only option specific to +link_to+ (<tt>:method</tt>) is used as follows:
184
- #
185
- # link_to("Destroy", "http://www.example.com", method: :delete)
186
- # # => <a href='http://www.example.com' rel="nofollow" data-method="delete">Destroy</a>
187
- #
188
- # Also you can set any link attributes such as <tt>target</tt>, <tt>rel</tt>, <tt>type</tt>:
168
+ # You can set any link attributes such as <tt>target</tt>, <tt>rel</tt>, <tt>type</tt>:
189
169
  #
190
170
  # link_to "External link", "http://www.rubyonrails.org/", target: "_blank", rel: "nofollow"
191
171
  # # => <a href="http://www.rubyonrails.org/" target="_blank" rel="nofollow">External link</a>
192
172
  #
193
- # ==== Deprecated: Rails UJS attributes
173
+ # ==== Deprecated: Rails UJS Attributes
194
174
  #
195
- # Prior to Rails 7, Rails shipped with a JavaScript library called @rails/ujs on by default. Following Rails 7,
175
+ # Prior to Rails 7, Rails shipped with a JavaScript library called <tt>@rails/ujs</tt> on by default. Following Rails 7,
196
176
  # this library is no longer on by default. This library integrated with the following options:
197
177
  #
198
- # * <tt>confirm: 'question?'</tt> - This will allow the unobtrusive JavaScript
199
- # driver to prompt with the question specified (in this case, the
178
+ # * <tt>method: symbol of HTTP verb</tt> - This modifier will dynamically
179
+ # create an HTML form and immediately submit the form for processing using
180
+ # the HTTP verb specified. Useful for having links perform a POST operation
181
+ # in dangerous actions like deleting a record (which search bots can follow
182
+ # while spidering your site). Supported verbs are <tt>:post</tt>, <tt>:delete</tt>, <tt>:patch</tt>, and <tt>:put</tt>.
183
+ # Note that if the user has JavaScript disabled, the request will fall back
184
+ # to using GET. If <tt>href: '#'</tt> is used and the user has JavaScript
185
+ # disabled clicking the link will have no effect. If you are relying on the
186
+ # POST behavior, you should check for it in your controller's action by using
187
+ # the request object's methods for <tt>post?</tt>, <tt>delete?</tt>, <tt>patch?</tt>, or <tt>put?</tt>.
188
+ # * <tt>remote: true</tt> - This will allow <tt>@rails/ujs</tt>
189
+ # to make an Ajax request to the URL in question instead of following
190
+ # the link.
191
+ #
192
+ # <tt>@rails/ujs</tt> also integrated with the following +:data+ options:
193
+ #
194
+ # * <tt>confirm: "question?"</tt> - This will allow <tt>@rails/ujs</tt>
195
+ # to prompt with the question specified (in this case, the
200
196
  # resulting text would be <tt>question?</tt>). If the user accepts, the
201
197
  # link is processed normally, otherwise no action is taken.
202
198
  # * <tt>:disable_with</tt> - Value of this parameter will be used as the
203
- # name for a disabled version of the link. This feature is provided by
204
- # the unobtrusive JavaScript driver.
199
+ # name for a disabled version of the link.
200
+ #
201
+ # ===== Rails UJS Examples
202
+ #
203
+ # link_to "Remove Profile", profile_path(@profile), method: :delete
204
+ # # => <a href="/profiles/1" rel="nofollow" data-method="delete">Remove Profile</a>
205
205
  #
206
206
  # link_to "Visit Other Site", "http://www.rubyonrails.org/", data: { confirm: "Are you sure?" }
207
207
  # # => <a href="http://www.rubyonrails.org/" data-confirm="Are you sure?">Visit Other Site</a>
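Review bot: Moving `method:` under "Deprecated: Rails UJS Attributes" keeps the sentence that the request falls back to GET when JavaScript is disabled, but does not say the same happens when `@rails/ujs` is not loaded, which the section states is the default from Rails 7. Say explicitly that without the library `link_to ..., method: :delete` renders a plain link that issues GET, and point readers to `button_to` for state-changing actions.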
@@ -255,8 +255,6 @@ module ActionView
255
255
  # <tt>:delete</tt>, <tt>:patch</tt>, and <tt>:put</tt>. By default it will be <tt>:post</tt>.
256
256
  # * <tt>:disabled</tt> - If set to true, it will generate a disabled button.
257
257
  # * <tt>:data</tt> - This option can be used to add custom data attributes.
258
- # * <tt>:remote</tt> - If set to true, will allow the Unobtrusive JavaScript drivers to control the
259
- # submit behavior. By default this behavior is an ajax submit.
260
258
  # * <tt>:form</tt> - This hash will be form attributes
261
259
  # * <tt>:form_class</tt> - This controls the class of the form within which the submit button will
262
260
  # be placed
@@ -298,25 +296,38 @@ module ActionView
298
296
  # # <input name="authenticity_token" type="hidden" value="10f2163b45388899ad4d5ae948988266befcb6c3d1b2451cf657a0c293d605a6" autocomplete="off"/>
299
297
  # # </form>"
300
298
  #
301
- # <%= button_to "Create", { action: "create" }, remote: true, form: { "data-type" => "json" } %>
302
- # # => "<form method="post" action="/images/create" class="button_to" data-remote="true" data-type="json">
299
+ # <%= button_to "Create", { action: "create" }, form: { "data-type" => "json" } %>
300
+ # # => "<form method="post" action="/images/create" class="button_to" data-type="json">
303
301
  # # <button type="submit">Create</button>
304
302
  # # <input name="authenticity_token" type="hidden" value="10f2163b45388899ad4d5ae948988266befcb6c3d1b2451cf657a0c293d605a6" autocomplete="off"/>
305
303
  # # </form>"
306
304
  #
307
- # ==== Deprecated: Rails UJS attributes
305
+ # ==== Deprecated: Rails UJS Attributes
308
306
  #
309
- # Prior to Rails 7, Rails shipped with a JavaScript library called @rails/ujs on by default. Following Rails 7,
307
+ # Prior to Rails 7, Rails shipped with a JavaScript library called <tt>@rails/ujs</tt> on by default. Following Rails 7,
310
308
  # this library is no longer on by default. This library integrated with the following options:
311
309
  #
312
- # * <tt>confirm: 'question?'</tt> - This will allow the unobtrusive JavaScript
313
- # driver to prompt with the question specified (in this case, the
310
+ # * <tt>:remote</tt> - If set to true, will allow <tt>@rails/ujs</tt> to control the
311
+ # submit behavior. By default this behavior is an Ajax submit.
312
+ #
313
+ # <tt>@rails/ujs</tt> also integrated with the following +:data+ options:
314
+ #
315
+ # * <tt>confirm: "question?"</tt> - This will allow <tt>@rails/ujs</tt>
316
+ # to prompt with the question specified (in this case, the
314
317
  # resulting text would be <tt>question?</tt>). If the user accepts, the
315
318
  # button is processed normally, otherwise no action is taken.
316
319
  # * <tt>:disable_with</tt> - Value of this parameter will be
317
320
  # used as the value for a disabled version of the submit
318
- # button when the form is submitted. This feature is provided
319
- # by the unobtrusive JavaScript driver.
321
+ # button when the form is submitted.
322
+ #
323
+ # ===== Rails UJS Examples
324
+ #
325
+ # <%= button_to "Create", { action: "create" }, remote: true, form: { "data-type" => "json" } %>
326
+ # # => "<form method="post" action="/images/create" class="button_to" data-remote="true" data-type="json">
327
+ # # <button type="submit">Create</button>
328
+ # # <input name="authenticity_token" type="hidden" value="10f2163b45388899ad4d5ae948988266befcb6c3d1b2451cf657a0c293d605a6" autocomplete="off"/>
329
+ # # </form>"
330
+ #
320
331
  def button_to(name = nil, options = nil, html_options = nil, &block)
321
332
  html_options, options = options, name if block_given?
322
333
  html_options ||= {}
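Review bot: The new "Rails UJS Examples" block shows `remote: true` producing `data-remote="true"` without saying that the attribute has no effect unless `@rails/ujs` is loaded, and the section's own intro states the library is no longer on by default following Rails 7. Add one line to the example saying it requires `@rails/ujs`, so a reader copying it into a default app does not assume the form is submitted via Ajax. In the same list, `confirm: "question?"` is written as a key/value pair while `:remote` and `:disable_with` are written as symbols; use one form for all three.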
@@ -183,7 +183,7 @@ module ActionView
183
183
  # be rendered directly, without wrapping a layout around the rendered view.
184
184
  #
185
185
  # Both the <tt>:only</tt> and <tt>:except</tt> condition can accept an arbitrary number of method references, so
186
- # #<tt>except: [ :rss, :text_only ]</tt> is valid, as is <tt>except: :rss</tt>.
186
+ # <tt>except: [ :rss, :text_only ]</tt> is valid, as is <tt>except: :rss</tt>.
187
187
  #
188
188
  # == Using a different layout in the action render call
189
189
  #
@@ -255,14 +255,17 @@ module ActionView
255
255
  # true:: raise an ArgumentError
256
256
  # nil:: Force default layout behavior with inheritance
257
257
  #
258
- # Return value of +Proc+ and +Symbol+ arguments should be +String+, +false+, +true+ or +nil+
258
+ # Return value of +Proc+ and +Symbol+ arguments should be +String+, +false+, +true+, or +nil+
259
259
  # with the same meaning as described above.
260
+ #
260
261
  # ==== Parameters
262
+ #
261
263
  # * <tt>layout</tt> - The layout to use.
262
264
  #
263
265
  # ==== Options (conditions)
264
- # * :only - A list of actions to apply this layout to.
265
- # * :except - Apply this layout to all actions but this one.
266
+ #
267
+ # * +:only+ - A list of actions to apply this layout to.
268
+ # * +:except+ - Apply this layout to all actions but this one.
266
269
  def layout(layout, conditions = {})
267
270
  include LayoutConditions unless conditions.empty?
268
271
 
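Review bot: The reformatted `+:except+` bullet still reads "Apply this layout to all actions but this one", in the singular, while `+:only+` is documented as "A list of actions" and the module docs earlier in this file say both conditions accept an arbitrary number of method references (`except: [ :rss, :text_only ]`). Since the line is being rewritten anyway, word it as a list too, for example "A list of actions to exclude from this layout", so the two options are described symmetrically.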
@@ -102,7 +102,7 @@ module ActionView
102
102
  # on the default implementation (which just joins all key attributes with '_') or on your own
103
103
  # overwritten version of the method. By default, this implementation passes the key string through a
104
104
  # method that replaces all characters that are invalid inside DOM ids, with valid ones. You need to
105
- # make sure yourself that your dom ids are valid, in case you overwrite this method.
105
+ # make sure yourself that your dom ids are valid, in case you override this method.
106
106
  def record_key_for_dom_id(record) # :doc:
107
107
  key = convert_to_model(record).to_key
108
108
  key ? key.join(JOIN) : key
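Review bot: The comment being edited still claims the default implementation "passes the key string through a method that replaces all characters that are invalid inside DOM ids", but the body lines visible under it only do `key.join(JOIN)`. If no sanitizing step follows, fixing "overwrite" to "override" leaves a stale guarantee in place; because the result is used as a DOM id, the comment should say that the key parts are joined as-is and that validity is the caller's responsibility in both the default and the overridden case.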
@@ -27,7 +27,7 @@ module ActionView
27
27
  # This would first render <tt>advertiser/_account.html.erb</tt> with <tt>@buyer</tt> passed in as the local variable +account+, then
28
28
  # render <tt>advertiser/_ad.html.erb</tt> and pass the local variable +ad+ to the template for display.
29
29
  #
30
- # == The :as and :object options
30
+ # == The +:as+ and +:object+ options
31
31
  #
32
32
  # By default ActionView::PartialRenderer doesn't have any local variables.
33
33
  # The <tt>:object</tt> option can be used to pass an object to the partial. For instance:
@@ -33,8 +33,8 @@ module ActionView
33
33
  super
34
34
  end
35
35
 
36
- # Overwrite process to set up I18n proxy.
37
- def process(*) # :nodoc:
36
+ # Override process to set up I18n proxy.
37
+ def process(...) # :nodoc:
38
38
  old_config, I18n.config = I18n.config, I18nProxy.new(I18n.config, lookup_context)
39
39
  super
40
40
  ensure
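Review bot: The signature change from `process(*)` to `process(...)` is not explained anywhere in the hunk; the comment only swaps "Overwrite" for "Override". Because the body uses a bare `super`, the parameter list decides what is forwarded, and `(...)` passes keyword arguments on as keywords where `(*)` only captured positional arguments. State that intent in the comment and add a regression test that calls `process` with keyword arguments, so a later cleanup does not revert it.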
@@ -19,7 +19,7 @@ module ActionView
19
19
  def build_path_regex
20
20
  handlers = Template::Handlers.extensions.map { |x| Regexp.escape(x) }.join("|")
21
21
  formats = Template::Types.symbols.map { |x| Regexp.escape(x) }.join("|")
22
- locales = "[a-z]{2}(?:-[A-Z]{2})?"
22
+ locales = "[a-z]{2}(?:[-_][A-Z]{2})?"
23
23
  variants = "[^.]*"
24
24
 
25
25
  %r{
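Review bot: The widened pattern on the `locales =` line is still narrower than the locale names an application can use: `[a-z]{2}(?:[-_][A-Z]{2})?` accepts `en-US` and now `en_US`, but a three-letter language code or a script subtag such as `zh-Hant` still will not be recognised as the locale segment of a template path. Either document next to the pattern which forms are accepted, or widen it deliberately, and add path-parsing tests for both separators so the `_` case stays covered.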
@@ -57,7 +57,7 @@ module ActionView
57
57
  include ActiveSupport::Testing::ConstantLookup
58
58
 
59
59
  delegate :lookup_context, to: :controller
60
- attr_accessor :controller, :output_buffer, :rendered
60
+ attr_accessor :controller, :request, :output_buffer, :rendered
61
61
 
62
62
  module ClassMethods
63
63
  def tests(helper_class)
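Review bot: Adding `:request` to `attr_accessor` exposes a public `request=` writer on every view test case as well as the reader, and nothing in the hunk says who is expected to assign it or when. If tests only need to read the request, declare it with `attr_reader` and set the instance variable in setup; if assignment from tests is intended, add a short comment describing the expected object so it is not replaced with something the helpers under test cannot use.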
@@ -3,7 +3,7 @@
3
3
  require_relative "gem_version"
4
4
 
5
5
  module ActionView
6
- # Returns the version of the currently loaded ActionView as a <tt>Gem::Version</tt>
6
+ # Returns the currently loaded version of Action View as a <tt>Gem::Version</tt>.
7
7
  def self.version
8
8
  gem_version
9
9
  end
@@ -91,9 +91,9 @@ module ActionView
91
91
  self.class._prefixes
92
92
  end
93
93
 
94
- # <tt>LookupContext</tt> is the object responsible for holding all
94
+ # LookupContext is the object responsible for holding all
95
95
  # information required for looking up templates, i.e. view paths and
96
- # details. Check <tt>ActionView::LookupContext</tt> for more information.
96
+ # details. Check ActionView::LookupContext for more information.
97
97
  def lookup_context
98
98
  @_lookup_context ||=
99
99
  ActionView::LookupContext.new(self.class._view_paths, details_for_lookup, _prefixes)
@@ -103,7 +103,7 @@ module ActionView
103
103
  {}
104
104
  end
105
105
 
106
- # Append a path to the list of view paths for the current <tt>LookupContext</tt>.
106
+ # Append a path to the list of view paths for the current LookupContext.
107
107
  #
108
108
  # ==== Parameters
109
109
  # * <tt>path</tt> - If a String is provided, it gets converted into
@@ -113,7 +113,7 @@ module ActionView
113
113
  lookup_context.view_paths.push(*path)
114
114
  end
115
115
 
116
- # Prepend a path to the list of view paths for the current <tt>LookupContext</tt>.
116
+ # Prepend a path to the list of view paths for the current LookupContext.
117
117
  #
118
118
  # ==== Parameters
119
119
  # * <tt>path</tt> - If a String is provided, it gets converted into
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: actionview
3
3
  version: !ruby/object:Gem::Version
4
- version: 7.0.2.3
4
+ version: 7.0.3.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - David Heinemeier Hansson
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-03-08 00:00:00.000000000 Z
11
+ date: 2022-07-12 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: activesupport
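Review bot: `cert_chain: []` is carried over unchanged in this hunk, so 7.0.3.1 is published without a gem signature, the same as 7.0.2.3. That is not a regression, but it means the only integrity evidence in this diff is the SHA256 and SHA512 values in checksums.yaml; anyone vetting the upgrade should compare those against the registry's published digest rather than rely on the version and date lines changed here.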
@@ -16,14 +16,14 @@ dependencies:
16
16
  requirements:
17
17
  - - '='
18
18
  - !ruby/object:Gem::Version
19
- version: 7.0.2.3
19
+ version: 7.0.3.1
20
20
  type: :runtime
21
21
  prerelease: false
22
22
  version_requirements: !ruby/object:Gem::Requirement
23
23
  requirements:
24
24
  - - '='
25
25
  - !ruby/object:Gem::Version
26
- version: 7.0.2.3
26
+ version: 7.0.3.1
27
27
  - !ruby/object:Gem::Dependency
28
28
  name: builder
29
29
  requirement: !ruby/object:Gem::Requirement
@@ -92,28 +92,28 @@ dependencies:
92
92
  requirements:
93
93
  - - '='
94
94
  - !ruby/object:Gem::Version
95
- version: 7.0.2.3
95
+ version: 7.0.3.1
96
96
  type: :development
97
97
  prerelease: false
98
98
  version_requirements: !ruby/object:Gem::Requirement
99
99
  requirements:
100
100
  - - '='
101
101
  - !ruby/object:Gem::Version
102
- version: 7.0.2.3
102
+ version: 7.0.3.1
103
103
  - !ruby/object:Gem::Dependency
104
104
  name: activemodel
105
105
  requirement: !ruby/object:Gem::Requirement
106
106
  requirements:
107
107
  - - '='
108
108
  - !ruby/object:Gem::Version
109
- version: 7.0.2.3
109
+ version: 7.0.3.1
110
110
  type: :development
111
111
  prerelease: false
112
112
  version_requirements: !ruby/object:Gem::Requirement
113
113
  requirements:
114
114
  - - '='
115
115
  - !ruby/object:Gem::Version
116
- version: 7.0.2.3
116
+ version: 7.0.3.1
117
117
  description: Simple, battle-tested conventions and helpers for building web pages.
118
118
  email: david@loudthinking.com
119
119
  executables: []
@@ -246,10 +246,10 @@ licenses:
246
246
  - MIT
247
247
  metadata:
248
248
  bug_tracker_uri: https://github.com/rails/rails/issues
249
- changelog_uri: https://github.com/rails/rails/blob/v7.0.2.3/actionview/CHANGELOG.md
250
- documentation_uri: https://api.rubyonrails.org/v7.0.2.3/
249
+ changelog_uri: https://github.com/rails/rails/blob/v7.0.3.1/actionview/CHANGELOG.md
250
+ documentation_uri: https://api.rubyonrails.org/v7.0.3.1/
251
251
  mailing_list_uri: https://discuss.rubyonrails.org/c/rubyonrails-talk
252
- source_code_uri: https://github.com/rails/rails/tree/v7.0.2.3/actionview
252
+ source_code_uri: https://github.com/rails/rails/tree/v7.0.3.1/actionview
253
253
  rubygems_mfa_required: 'true'
254
254
  post_install_message:
255
255
  rdoc_options: []
@@ -267,7 +267,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
267
267
  version: '0'
268
268
  requirements:
269
269
  - none
270
- rubygems_version: 3.1.6
270
+ rubygems_version: 3.3.3
271
271
  signing_key:
272
272
  specification_version: 4
273
273
  summary: Rendering framework putting the V in MVC (part of Rails).